  1. #51
    logic_earth
    Quote originally posted by Vali:
    You can upload a PHP script with an image's header data, getImageSize will return OK, and the user just got access to your server.
    That is only the case if a) you allow the user to specify the file extension, or b) you set up the server to process files other than those ending in .php. IMO you should not change the extension of what files are executed by PHP.

    Otherwise it's a non-issue. If it concerns you, make a copy with GD.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
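    A handler that puts the two points above into practice, as an added example and not code from this thread: the extension is chosen by the server from the decoded image type, and the file is re-encoded with GD so a script hidden behind a valid image header never reaches disk. `UPLOAD_DIR` and the function name are assumptions.

```php
<?php
// Added example, not code from the thread: store an uploaded image without
// trusting the client's file name, extension or MIME type. UPLOAD_DIR is an
// assumption; point it at a directory the web server does not execute PHP from.
const UPLOAD_DIR = '/var/www/uploads';

function store_uploaded_image(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() only proves the data *starts* with an image header; a PHP
    // script with a forged header passes it, so it is a first filter, not proof.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    // Re-encode through GD: the written file contains only pixels GD produced,
    // so anything appended to or hidden in the original upload is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // The extension comes from the decoded type, never from $file['name'],
    // so the uploader cannot choose ".php" (point (a) in the post above).
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $ext = 'jpg'; $writer = 'imagejpeg';
            break;
        case IMAGETYPE_PNG:
            imagealphablending($img, false);
            imagesavealpha($img, true);   // keep transparency through re-encoding
            $ext = 'png'; $writer = 'imagepng';
            break;
        case IMAGETYPE_GIF:
            $ext = 'gif'; $writer = 'imagegif';
            break;
        default:
            imagedestroy($img);
            return null;                  // reject rather than guess a type
    }
    // Random server-chosen name: no user input reaches the path at all.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $writer($img, UPLOAD_DIR . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Usage: $saved = store_uploaded_image($_FILES['image']);
```

    Re-encoding also strips EXIF and other metadata, which is usually what you want for user uploads anyway.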


  2. #52
    adam.jimenez
    Quote originally posted by logic_earth:
    That is only the case if a) you allow the user to specify the file extension, or b) you set up the server to process files other than those ending in .php. IMO you should not change the extension of what files are executed by PHP.

    Otherwise it's a non-issue. If it concerns you, make a copy with GD.
    Thanks logic_earth, that's exactly what I thought. There seems to be a fair amount of scare-mongering going on with little facts to back them up.

  3. #53
    bokehman
    Quote originally posted by adam.jimenez:
    Which is a problem how? Unless of course the webserver has known vulnerabilities.
    One day you will wake up to see that PHP is not the only way to access the file system.

    I bet you're one of those people who never wears a seatbelt because you are such a good driver.

    Also, "known vulnerabilities" can be fixed, it's unknown ones that are more worrying.

  4. #54
    adam.jimenez
    Quote originally posted by bokehman:
    One day you will wake up to see that PHP is not the only way to access the file system.

    I bet you're one of those people who never wears a seatbelt because you are such a good driver.

    Also, "known vulnerabilities" can be fixed, it's unknown ones that are more worrying.
    No need to get personal. I'm not dismissing your view. I'd just like to see some tangible examples that I should be aware of.

  5. #55
    bokehman
    Quote originally posted by adam.jimenez:
    I'd just like to see some tangible examples that I should be aware of.
    If you are not in control of the server it is very unlikely you will ever know what the vulnerabilities are. And even if you are in control there will still be thousands of vulnerabilities you would not be aware of. After all you are just one person, hackers on the other hand are teams of thousands.

    As for PHP's open_basedir restriction, it's a bit like putting a huge secure gate to protect a plot of land and totally ignoring the perimeter fence. When you arrive at the plot you feel it is very secure because you only see the secure gate, but the reality is any Tom, Dick or Harry who owns a pair of side cutters can enter through the perimeter fence.

  6. #56
    adam.jimenez
    Quote originally posted by bokehman:
    If you are not in control of the server it is very unlikely you will ever know what the vulnerabilities are. And even if you are in control there will still be thousands of vulnerabilities you would not be aware of. After all you are just one person, hackers on the other hand are teams of thousands.

    As for PHP's open_basedir restriction, it's a bit like putting a huge secure gate to protect a plot of land and totally ignoring the perimeter fence. When you arrive at the plot you feel it is very secure because you only see the secure gate, but the reality is any Tom, Dick or Harry who owns a pair of side cutters can enter through the perimeter fence.
    I get your point but how else would you handle file uploads without giving up 777?

    My approach has been to install as few components as possible, regularly make sure they are up-to-date, and make plenty of off-site backups. From what I've seen many others use a similar approach. The times I've seen servers get hacked is when they haven't been updated in a long time or have no firewall protection.

    BTW apologies for veering off topic everyone!

  7. #57
    bokehman
    Quote originally posted by adam.jimenez:
    I get your point but how else would you handle file uploads without giving up 777?
    If it is a shared server, the only way to avoid 0777 and still use the file system is to run PHP under SuExec.

  8. #58
    adam.jimenez
    Quote originally posted by bokehman:
    If it is a shared server, the only way to avoid 0777 and still use the file system is to run PHP under SuExec.
    Thanks for the tip, I will check that out.

  9. #59
    lorenw
    To avoid the 777 issue, upload a zip file with your directory in it and use PHP to unzip it. Now the owner is root or Apache and PHP can work with it without changing permissions.

    My 2 cents
    What I lack in acuracy I make up for in misteaks

  10. #60
    adam.jimenez
    Quote originally posted by lorenw:
    To avoid the 777 issue, upload a zip file with your directory in it and use PHP to unzip it. Now the owner is root or Apache and PHP can work with it without changing permissions.

    My 2 cents
    PHP will need perms to unzip in the first place.

    If Apache is the owner then potentially any other sites can write to it.

    And if Apache was running as root then I really would be worried!

  11. #61
    Trent Reimer
    Quote originally posted by adam.jimenez:
    The number 1 pro for database use:

    What's so hard about deleting a record and a file at the same time?
    This seems like a very weak argument compared to all the cons.
    It isn't very hard to coordinate, it's just not something you can guarantee at the same level of assurance as an ACID compliant database.

    My only beef with serving images from a database is the extra overhead.

  12. #62
    Non-Member
    Use an ORM to store them anywhere you want while still keeping their signature in the DB. This will increase your DB's performance, and save you from scaling issues.

  13. #63
    logic_earth
    Quote originally posted by bokehman:
    If it is a shared server, the only way to avoid 0777 and still use the file system is to run PHP under SuExec.
    To be honest, if you are on a shared server, you want SuExec! Probably want it even on a dedicated server. It greatly improves the security.
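    A quick check for the 0777 question raised earlier in the thread, as an added example (not code from any poster): it reports which user PHP actually runs as, who owns the upload directory, and whether world-write is doing any work. If PHP runs as the directory owner (which is what SuExec or a per-site FPM pool gives you) then 0750 is enough. The function name and advice strings are assumptions.

```php
<?php
// Added example, not code from the thread: explain whether an upload directory
// really needs 0777. Function name and advice wording are assumptions.
function upload_dir_report(string $dir): array
{
    $report = ['dir' => $dir];
    if (!is_dir($dir)) {
        $report['error'] = 'not a directory';
        return $report;
    }
    $mode = fileperms($dir) & 0777;
    $report['mode'] = sprintf('%04o', $mode);
    $report['world_writable'] = ($mode & 0002) !== 0;   // the "777" problem
    $report['php_can_write']  = is_writable($dir);

    // Which account is PHP running as? Under SuExec or a per-site FPM pool it
    // is the site owner; under shared mod_php it is the web server account
    // that every other site on the box also runs as.
    $uid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $owner = fileowner($dir);
    $report['php_uid']       = $uid;
    $report['dir_owner_uid'] = $owner;
    $report['owned_by_php_user'] = ($uid !== null && $uid === $owner);

    if ($report['owned_by_php_user'] && $report['world_writable']) {
        // Owner-write already covers PHP; the other bits only help strangers.
        $report['advice'] = 'chmod 0750: PHP owns the directory, world-write is unnecessary';
    } elseif (!$report['owned_by_php_user'] && $report['php_can_write']) {
        // Writable via group/other bits: any other site under the same
        // web server account can write here too (the objection in post #60).
        $report['advice'] = 'writable only through group/other bits; other sites on this server user can write here';
    } elseif (!$report['php_can_write']) {
        $report['advice'] = 'PHP cannot write here; chown to the PHP user instead of chmod 0777';
    } else {
        $report['advice'] = 'ok';
    }
    return $report;
}

// Usage: print_r(upload_dir_report('/var/www/uploads'));
```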


  14. #64
    m4tty
    So is it good or not?

  15. #65
    r937
    Quote originally posted by m4tty:
    So is it good or not?
    that depends... did you read the entire thread?
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  16. #66
    wwb_99
    Quote originally posted by m4tty:
    So is it good or not?
    From what I heard from her, no.